A Trojan for Android designed to steal user login credentials needed to access online banking programs and to steal money from victims’ bank accounts. Android.SmsSpy.88.origin is distributed under the guise of benign applications—for example, Adobe Flash Player.

When launched, the Trojan prompts the user to grant it administrative privileges:

The Trojan is distributed under the guise of a benign application, for example, Adobe Flash Player. Once launched, the Trojan prompts the user to grant it administrator privileges. It then turns on the Wi-Fi module and checks every second whether a Wi-Fi or cellular connection has been established. If no connection is made, Android.SmsSpy.88.origin enables these communication channels once again.

Then the Trojan sends the following information to the command and control server:

Infected device's unique identifier generated by the Trojan

IMEI identifier

Current system language

Mobile network operator

OS version

Mobile device model

Cell phone number

Stealing authentication information

The configuration file of Android.SmsSpy.88.origin contains a list of online banking applications and links to phishing dialog templates for these applications. For example:

Android.SmsSpy.88.origin keeps track of when any of the above-listed applications are launched. If a launch is detected, the Trojan downloads a phishing input form from the server and displays it on top of the running application. All information entered by the user is then sent to cybercriminals. Phishing dialogs may look as follows:

Stealing credit card information

Android.SmsSpy.88.origin also attempts to steal user bank card information by tracking the launch of the following applications specified in its configuration (this list can different application names depending on the Trojan’s modification):

com.android.vending;

com.viber.voip;

com.whatsapp;

com.skype.raider;

com.facebook.orca;

com.facebook.katana;

com.instagram.android;

com.android.chrome;

com.twitter.android;

com.google.android.gm;

com.android.calendar;

jp.naver.line.android.

Once the Trojan detects that one of the above-mentioned applications is running, it displays a bogus dialog resembling the one used to make purchases on Google Play, prompting the user to enter their bank card information:

All the entered information is then transmitted to the server.

Command executing

Android.SmsSpy.88.origin can receive the following commands from the server:

rent&&&—start intercepting all incoming SMS messages;

sms_stop&&&—stop intercepting incoming SMS messages;

sent&&&—send a text message;

ussd&&&—send the USSD request;

delivery&&&—send SMS messages to all contact list numbers;

apiserver—change the address of the command and control server;

appmass—send an MMS message;

windowStop—add a specified application to the exclusion list so that when that application is launched, a phishing dialog is not displayed;

windowStart—delete a specified application from the exclusion lists;

windowsnew—download an updated executable file containing a list of attacked applications from the server;

UpdateInfo—send information about all installed applications to the server;

freedialog—display a template-based dialog using WebView (this command is applied to activate the screen lock function)

freedialogdisable—cancel the display of the WebView dialog;

adminPhone—change the phone number used to send SMS messages that repeat commands;

killStart—set the password for ScreenLock;

killStop—clear the password from ScreenLock;

upload_sms—send all saved SMS messages to the server;

notification—display a notification with the received parameters.

The Trojan can also receive the rent&&&, sent&&&, ussd&&&, killStart, and killStop commands as text messages from cybercriminals.

If a command is executed successfully, the malicious program reports this information to the server by sending the POST request:

Resistance to anti-virus software

Android.SmsSpy.88.origin tries to hinder the work of some anti-virus programs and service utilities, preventing them from launching. Depending on the Trojan modification involved, these programs can include:

com.cleanmaster.security;

com.cleanmaster.mguard;

com.piriform.ccleaner;

com.cleanmaster.mguard_x86;

com.cleanmaster.sdk;

com.cleanmaster.boost;

com.drweb;

com.qihoo.security;

com.kms.free;

com.eset.ems2.gp;

com.qihoo.security.lite;

com.symantec.mobilesecurity;

com.dianxinos.optimizer.duplay.

Names of banking applications attacked

The following online banking applications are currently known to be attacked by the Trojan:

Curing recommendations

Android

If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.

If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:

Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);

Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;